@socketsecurity/lib 6.0.7 → 6.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (323) hide show
  1. package/CHANGELOG.md +42 -0
  2. package/README.md +1 -1
  3. package/dist/ai/agent-context.d.mts +103 -0
  4. package/dist/ai/agent-context.js +157 -0
  5. package/dist/ai/backends.d.mts +83 -0
  6. package/dist/ai/backends.js +173 -0
  7. package/dist/ai/credentials.d.mts +49 -0
  8. package/dist/ai/credentials.js +82 -0
  9. package/dist/ai/discover.d.mts +4 -0
  10. package/dist/ai/discover.js +1 -1
  11. package/dist/ai/exec.d.mts +52 -0
  12. package/dist/ai/exec.js +92 -0
  13. package/dist/ai/http.d.mts +132 -0
  14. package/dist/ai/http.js +130 -0
  15. package/dist/ai/profiles.d.mts +41 -6
  16. package/dist/ai/profiles.js +52 -10
  17. package/dist/ai/route.d.mts +82 -0
  18. package/dist/ai/route.js +171 -0
  19. package/dist/ai/spawn.d.mts +42 -2
  20. package/dist/ai/spawn.js +146 -33
  21. package/dist/ai/subagent-status.d.mts +48 -0
  22. package/dist/ai/subagent-status.js +57 -0
  23. package/dist/ai/tier.d.mts +60 -0
  24. package/dist/ai/tier.js +53 -0
  25. package/dist/ai/types.d.mts +25 -2
  26. package/dist/ai/worktree.js +4 -0
  27. package/dist/archives/tar.js +1 -1
  28. package/dist/archives/zip.js +2 -2
  29. package/dist/argv/parse.d.ts +19 -2
  30. package/dist/argv/parse.js +1 -1
  31. package/dist/arrays/join.js +4 -0
  32. package/dist/bin/find.js +4 -4
  33. package/dist/bin/prim.cjs +23322 -18018
  34. package/dist/bin/resolve.js +2 -2
  35. package/dist/cache/ttl/store.js +2 -2
  36. package/dist/cli/check-primordials.d.ts +8 -3
  37. package/dist/cli/check-primordials.js +4 -4
  38. package/dist/compression/_internal.js +1 -1
  39. package/dist/compression/brotli.d.ts +1 -2
  40. package/dist/compression/brotli.js +5 -1
  41. package/dist/compression/gzip.js +5 -1
  42. package/dist/config/layers.d.ts +53 -0
  43. package/dist/config/layers.js +83 -0
  44. package/dist/constants/packages.d.ts +3 -0
  45. package/dist/constants/packages.js +2 -1
  46. package/dist/constants/socket.d.ts +2 -6
  47. package/dist/constants/socket.js +12 -14
  48. package/dist/cover/code.js +2 -2
  49. package/dist/crypto/hash.d.ts +4 -1
  50. package/dist/crypto/hash.js +4 -1
  51. package/dist/dlx/arborist.js +13 -3
  52. package/dist/dlx/binary-cache.js +1 -1
  53. package/dist/dlx/binary-resolution.js +1 -1
  54. package/dist/dlx/detect.d.ts +8 -0
  55. package/dist/dlx/firewall.d.ts +8 -0
  56. package/dist/dlx/lockfile.js +5 -2
  57. package/dist/dlx/manifest.js +1 -1
  58. package/dist/dlx/package.js +4 -0
  59. package/dist/eco/cargo/parse-lockfile.d.ts +1 -2
  60. package/dist/eco/cargo/parse-lockfile.js +3 -3
  61. package/dist/eco/manifest/detect-format.js +1 -1
  62. package/dist/eco/npm/npm/parse-lockfile.d.ts +3 -4
  63. package/dist/eco/npm/npm/parse-lockfile.js +2 -2
  64. package/dist/eco/npm/parse-package-json.d.ts +11 -0
  65. package/dist/eco/npm/parse-package-json.js +1 -1
  66. package/dist/eco/npm/pnpm/parse-lockfile.d.ts +5 -3
  67. package/dist/eco/npm/pnpm/parse-lockfile.js +3 -3
  68. package/dist/eco/npm/yarnpkg/yarn/exec.js +1 -1
  69. package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.d.ts +1 -2
  70. package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +2 -2
  71. package/dist/env/proxy.js +1 -1
  72. package/dist/env/rewire.d.ts +6 -3
  73. package/dist/env/rewire.js +7 -8
  74. package/dist/env/socket.d.ts +7 -0
  75. package/dist/env/socket.js +10 -0
  76. package/dist/env/xdg.d.ts +17 -0
  77. package/dist/env/xdg.js +21 -1
  78. package/dist/errors/predicates.js +1 -1
  79. package/dist/errors/stack.js +1 -2
  80. package/dist/external/@npmcli/package-json.js +3455 -4881
  81. package/dist/external/@npmcli/promise-spawn.js +3 -1
  82. package/dist/external/@yarnpkg/extensions.js +1 -1
  83. package/dist/external/external-pack.js +1 -1
  84. package/dist/external/npm-pack.js +29164 -31799
  85. package/dist/external/pico-pack.js +4 -2
  86. package/dist/external/tar-fs.js +63 -16
  87. package/dist/external/which.js +3 -1
  88. package/dist/external-tools/bazel/asset-names.d.ts +1 -1
  89. package/dist/external-tools/bazel/asset-names.js +5 -2
  90. package/dist/external-tools/bazel/from-download.d.ts +1 -1
  91. package/dist/external-tools/bazel/from-download.js +5 -2
  92. package/dist/external-tools/bazel/resolve-bazel-version.js +4 -0
  93. package/dist/external-tools/bazel/resolve.d.ts +3 -3
  94. package/dist/external-tools/bazel/resolve.js +16 -8
  95. package/dist/external-tools/cdxgen/asset-names.d.ts +1 -1
  96. package/dist/external-tools/cdxgen/asset-names.js +5 -2
  97. package/dist/external-tools/cdxgen/from-download.d.ts +1 -1
  98. package/dist/external-tools/cdxgen/from-download.js +7 -4
  99. package/dist/external-tools/cdxgen/resolve.d.ts +3 -3
  100. package/dist/external-tools/cdxgen/resolve.js +16 -8
  101. package/dist/external-tools/from-download.d.ts +2 -2
  102. package/dist/external-tools/from-download.js +11 -5
  103. package/dist/external-tools/from-pip-venv.d.ts +1 -1
  104. package/dist/external-tools/from-pip-venv.js +12 -5
  105. package/dist/external-tools/janus/asset-names.d.ts +1 -1
  106. package/dist/external-tools/janus/asset-names.js +5 -2
  107. package/dist/external-tools/janus/from-download.d.ts +1 -1
  108. package/dist/external-tools/janus/from-download.js +5 -2
  109. package/dist/external-tools/janus/resolve.d.ts +3 -3
  110. package/dist/external-tools/janus/resolve.js +16 -8
  111. package/dist/external-tools/jre/asset-names.d.ts +1 -1
  112. package/dist/external-tools/jre/asset-names.js +5 -2
  113. package/dist/external-tools/jre/detect-platform-arch.js +1 -1
  114. package/dist/external-tools/jre/from-download.d.ts +1 -1
  115. package/dist/external-tools/jre/from-download.js +7 -4
  116. package/dist/external-tools/jre/from-java-home.js +2 -2
  117. package/dist/external-tools/jre/from-vfs.js +2 -2
  118. package/dist/external-tools/jre/resolve.d.ts +3 -3
  119. package/dist/external-tools/jre/resolve.js +16 -8
  120. package/dist/external-tools/manifest.d.ts +18 -0
  121. package/dist/external-tools/manifest.js +2 -2
  122. package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
  123. package/dist/external-tools/opengrep/asset-names.js +5 -2
  124. package/dist/external-tools/opengrep/from-download.d.ts +1 -1
  125. package/dist/external-tools/opengrep/from-download.js +5 -2
  126. package/dist/external-tools/opengrep/resolve.d.ts +3 -3
  127. package/dist/external-tools/opengrep/resolve.js +16 -8
  128. package/dist/external-tools/python/asset-names.d.ts +1 -1
  129. package/dist/external-tools/python/asset-names.js +11 -4
  130. package/dist/external-tools/python/dlx.d.ts +3 -3
  131. package/dist/external-tools/python/dlx.js +20 -9
  132. package/dist/external-tools/python/from-download.d.ts +1 -1
  133. package/dist/external-tools/python/from-download.js +12 -5
  134. package/dist/external-tools/python/pin.js +6 -3
  135. package/dist/external-tools/python/pip-install.js +6 -3
  136. package/dist/external-tools/python/resolve.d.ts +3 -3
  137. package/dist/external-tools/python/resolve.js +19 -11
  138. package/dist/external-tools/python/uv-install.d.ts +89 -0
  139. package/dist/external-tools/python/uv-install.js +165 -0
  140. package/dist/external-tools/sbt/asset-names.d.ts +1 -1
  141. package/dist/external-tools/sbt/asset-names.js +5 -2
  142. package/dist/external-tools/sbt/from-download.d.ts +1 -1
  143. package/dist/external-tools/sbt/from-download.js +5 -2
  144. package/dist/external-tools/sbt/resolve.d.ts +3 -3
  145. package/dist/external-tools/sbt/resolve.js +16 -8
  146. package/dist/external-tools/skillspector/from-dlx.d.ts +1 -1
  147. package/dist/external-tools/skillspector/from-dlx.js +10 -3
  148. package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
  149. package/dist/external-tools/skillspector/from-uv.js +56 -0
  150. package/dist/external-tools/skillspector/resolve.d.ts +20 -5
  151. package/dist/external-tools/skillspector/resolve.js +27 -6
  152. package/dist/external-tools/skillspector/types.d.ts +3 -1
  153. package/dist/external-tools/synp/asset-names.d.ts +1 -1
  154. package/dist/external-tools/synp/asset-names.js +6 -2
  155. package/dist/external-tools/synp/from-download.d.ts +1 -1
  156. package/dist/external-tools/synp/from-download.js +5 -2
  157. package/dist/external-tools/synp/resolve.d.ts +3 -3
  158. package/dist/external-tools/synp/resolve.js +16 -8
  159. package/dist/external-tools/trivy/asset-names.d.ts +1 -1
  160. package/dist/external-tools/trivy/asset-names.js +5 -2
  161. package/dist/external-tools/trivy/from-download.d.ts +1 -1
  162. package/dist/external-tools/trivy/from-download.js +7 -4
  163. package/dist/external-tools/trivy/resolve.d.ts +3 -3
  164. package/dist/external-tools/trivy/resolve.js +16 -8
  165. package/dist/external-tools/trufflehog/asset-names.d.ts +1 -1
  166. package/dist/external-tools/trufflehog/asset-names.js +5 -2
  167. package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
  168. package/dist/external-tools/trufflehog/from-download.js +7 -4
  169. package/dist/external-tools/trufflehog/resolve.d.ts +3 -3
  170. package/dist/external-tools/trufflehog/resolve.js +16 -8
  171. package/dist/external-tools/uv/asset-names.d.ts +36 -0
  172. package/dist/external-tools/uv/asset-names.js +73 -0
  173. package/dist/external-tools/uv/from-download.d.ts +17 -0
  174. package/dist/external-tools/uv/from-download.js +50 -0
  175. package/dist/external-tools/uv/from-path.d.ts +5 -0
  176. package/dist/external-tools/uv/from-path.js +22 -0
  177. package/dist/external-tools/uv/from-vfs.d.ts +7 -0
  178. package/dist/external-tools/uv/from-vfs.js +26 -0
  179. package/dist/external-tools/uv/resolve.d.ts +25 -0
  180. package/dist/external-tools/uv/resolve.js +61 -0
  181. package/dist/external-tools/uv/types.d.ts +24 -0
  182. package/dist/external-tools/uv/types.js +2 -0
  183. package/dist/fleet/repo-config.d.ts +53 -0
  184. package/dist/fleet/repo-config.js +79 -0
  185. package/dist/fs/allowed-dirs-cache.d.ts +27 -1
  186. package/dist/fs/allowed-dirs-cache.js +39 -6
  187. package/dist/fs/copy.d.ts +88 -0
  188. package/dist/fs/copy.js +89 -0
  189. package/dist/fs/find.js +1 -1
  190. package/dist/fs/read-json-cache.d.ts +7 -0
  191. package/dist/fs/resolve-module.js +6 -2
  192. package/dist/fs/safe.js +1 -1
  193. package/dist/git/_internal.js +3 -3
  194. package/dist/git/repo.js +2 -4
  195. package/dist/git/staged.js +8 -0
  196. package/dist/git/tracked.d.ts +84 -0
  197. package/dist/git/tracked.js +163 -0
  198. package/dist/git/unstaged.js +8 -0
  199. package/dist/github/refs-graphql.js +4 -0
  200. package/dist/github/refs-rest.js +4 -0
  201. package/dist/globs/_internal.js +1 -1
  202. package/dist/globs/match.js +9 -1
  203. package/dist/globs/matcher.js +5 -1
  204. package/dist/http-request/browser.js +7 -3
  205. package/dist/http-request/checksum-file.js +1 -1
  206. package/dist/http-request/{browser-fetch.d.ts → fetch/browser.d.ts} +2 -2
  207. package/dist/http-request/{browser-fetch.js → fetch/browser.js} +4 -4
  208. package/dist/http-request/headers.js +1 -1
  209. package/dist/http-request/request-attempt.js +2 -2
  210. package/dist/http-request/user-agent.js +1 -1
  211. package/dist/integrity.d.ts +124 -71
  212. package/dist/integrity.js +168 -78
  213. package/dist/json/edit.js +38 -30
  214. package/dist/json/format.js +1 -1
  215. package/dist/logger/colors.d.ts +1 -2
  216. package/dist/logger/colors.js +2 -2
  217. package/dist/logger/symbols-builder.js +7 -8
  218. package/dist/logger/symbols.js +8 -8
  219. package/dist/native-messaging/install.d.ts +1 -1
  220. package/dist/native-messaging/install.js +7 -4
  221. package/dist/native-messaging/rate-limit.d.ts +7 -0
  222. package/dist/native-messaging/rate-limit.js +4 -0
  223. package/dist/node/async-hooks.js +1 -1
  224. package/dist/node/child-process.js +1 -1
  225. package/dist/node/crypto.js +1 -1
  226. package/dist/node/events.js +1 -1
  227. package/dist/node/fs-promises.js +1 -1
  228. package/dist/node/fs.d.ts +22 -6
  229. package/dist/node/fs.js +16 -3
  230. package/dist/node/http.js +1 -1
  231. package/dist/node/https.js +1 -1
  232. package/dist/node/module.d.ts +73 -2
  233. package/dist/node/module.js +97 -12
  234. package/dist/node/os.d.ts +10 -2
  235. package/dist/node/os.js +11 -4
  236. package/dist/node/path.d.ts +11 -2
  237. package/dist/node/path.js +17 -4
  238. package/dist/node/timers-promises.js +1 -1
  239. package/dist/node/url.js +1 -1
  240. package/dist/node/util.js +1 -1
  241. package/dist/objects/getters.js +1 -1
  242. package/dist/objects/mutate.js +2 -2
  243. package/dist/packages/edit-class.d.ts +2 -3
  244. package/dist/packages/edit-class.js +41 -35
  245. package/dist/packages/exports.js +4 -4
  246. package/dist/packages/fetch.js +1 -1
  247. package/dist/packages/isolation.js +2 -2
  248. package/dist/packages/licenses.js +2 -2
  249. package/dist/packages/manifest.d.ts +29 -0
  250. package/dist/packages/manifest.js +40 -4
  251. package/dist/packages/normalize.js +2 -2
  252. package/dist/packages/provenance.js +3 -3
  253. package/dist/packages/specs.js +1 -1
  254. package/dist/packages/tarball.js +4 -2
  255. package/dist/packages/types.d.ts +1 -2
  256. package/dist/paths/_internal.d.ts +1 -7
  257. package/dist/paths/_internal.js +9 -15
  258. package/dist/paths/conversion.js +1 -1
  259. package/dist/paths/dirnames.d.ts +1 -0
  260. package/dist/paths/dirnames.js +2 -0
  261. package/dist/paths/normalize.js +1 -1
  262. package/dist/paths/predicates.js +2 -1
  263. package/dist/paths/resolve.js +14 -19
  264. package/dist/paths/rewire.d.ts +5 -0
  265. package/dist/paths/socket.d.ts +137 -123
  266. package/dist/paths/socket.js +172 -131
  267. package/dist/perf/metrics.js +1 -1
  268. package/dist/perf/report.js +1 -1
  269. package/dist/primordials/process.d.ts +88 -0
  270. package/dist/primordials/process.js +132 -0
  271. package/dist/primordials/uncurry.d.ts +1 -2
  272. package/dist/process/spawn/child.js +8 -2
  273. package/dist/process/spawn/errors.js +1 -1
  274. package/dist/releases/github-archives.js +1 -1
  275. package/dist/releases/github-listing.d.ts +1 -2
  276. package/dist/schema/types.d.ts +3 -4
  277. package/dist/schema/validate.js +1 -1
  278. package/dist/secrets/broker.d.ts +35 -0
  279. package/dist/secrets/broker.js +72 -0
  280. package/dist/secrets/find.d.ts +8 -6
  281. package/dist/secrets/find.js +25 -5
  282. package/dist/secrets/keychain.d.ts +1 -1
  283. package/dist/secrets/linux.js +32 -44
  284. package/dist/secrets/macos.d.ts +1 -2
  285. package/dist/secrets/macos.js +20 -29
  286. package/dist/secrets/rc.d.ts +2 -2
  287. package/dist/secrets/rc.js +21 -13
  288. package/dist/secrets/socket-api-token.js +8 -0
  289. package/dist/secrets/windows.js +27 -33
  290. package/dist/shell/parse.d.ts +32 -0
  291. package/dist/shell/parse.js +60 -0
  292. package/dist/smol/detect.js +1 -1
  293. package/dist/smol/http.js +1 -1
  294. package/dist/smol/https.js +1 -1
  295. package/dist/smol/manifest.js +1 -1
  296. package/dist/smol/path.js +1 -1
  297. package/dist/smol/primordial.js +1 -1
  298. package/dist/smol/purl.js +1 -1
  299. package/dist/smol/versions.js +1 -1
  300. package/dist/smol/vfs.js +1 -1
  301. package/dist/sorts/_internal.d.ts +1 -2
  302. package/dist/sorts/_internal.js +2 -6
  303. package/dist/sorts/semver.js +2 -2
  304. package/dist/spinner/create-spinner-class.js +2 -2
  305. package/dist/spinner/spinner-internals.d.ts +1 -1
  306. package/dist/spinner/spinner-internals.js +9 -5
  307. package/dist/spinner/spinner.d.ts +4 -0
  308. package/dist/spinner/spinner.js +1 -1
  309. package/dist/stdio/progress.js +6 -2
  310. package/dist/stdio/prompts.d.ts +2 -10
  311. package/dist/stdio/prompts.js +11 -24
  312. package/dist/strings/format.js +1 -1
  313. package/dist/strings/search.js +1 -1
  314. package/dist/temporal/instant.js +2 -2
  315. package/dist/themes/context.d.ts +5 -3
  316. package/dist/themes/context.js +5 -6
  317. package/dist/url/assert-safe.d.ts +29 -0
  318. package/dist/url/assert-safe.js +54 -0
  319. package/dist/url/predicates.d.ts +31 -1
  320. package/dist/url/predicates.js +42 -1
  321. package/dist/url/types.d.ts +4 -0
  322. package/llms.txt +750 -0
  323. package/package.json +253 -125
@@ -0,0 +1,132 @@
1
+ "use strict";
2
+ /* Socket Lib - Built with rolldown */
3
+ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
+
5
+ //#region src/primordials/process.ts
6
+ /**
7
+ * @file Safe call-through accessors for the `process` global's methods and
8
+ * value reads. The `process` object reference is captured once at module load
9
+ * (immune to a later `globalThis.process = …` reassignment), but each method
10
+ * is CALLED at access time off that captured object — so `vi.spyOn(process,
11
+ * 'cwd')`, which mutates the same captured object, still intercepts. Binding
12
+ * the method reference instead (`process.cwd.bind(process)`) would freeze it
13
+ * and break that test seam, so we deliberately keep the late call. Consumers
14
+ * read cwd / platform / env / argv through these instead of touching
15
+ * `process` directly; enforced fleet-wide by
16
+ * `socket/prefer-process-primordial`. This is the `process` leaf of the
17
+ * node-module primordials: where `node/fs` / `node/path` lazy-load a `node:`
18
+ * module behind a function, this captures the always-present `process` global
19
+ * and routes its hot reads through one tamper-resistant surface.
20
+ */
21
+ const SafeProcess = process;
22
+ /**
23
+ * The CPU architecture token (`'x64'` / `'arm64'` / …).
24
+ */
25
+ function processArch() {
26
+ return SafeProcess.arch;
27
+ }
28
+ /**
29
+ * The argv array (`[execPath, scriptPath, ...args]`).
30
+ *
31
+ * @example
32
+ * ;```typescript
33
+ * const entry = processArgv()[1]
34
+ * ```
35
+ */
36
+ function processArgv() {
37
+ return SafeProcess.argv;
38
+ }
39
+ /**
40
+ * The current working directory. Call-through to the captured process's `cwd` —
41
+ * late-bound so test spies still intercept.
42
+ *
43
+ * @example
44
+ * ;```typescript
45
+ * const dir = processCwd()
46
+ * ```
47
+ */
48
+ function processCwd() {
49
+ return SafeProcess.cwd();
50
+ }
51
+ /**
52
+ * Emit a process warning. Call-through so a test spy on `process.emitWarning`
53
+ * still intercepts.
54
+ */
55
+ function processEmitWarning(...args) {
56
+ SafeProcess.emitWarning(...args);
57
+ }
58
+ /**
59
+ * The process environment object. Returns the live `process.env` off the
60
+ * captured process (call-through, so a test that swaps `process.env` is seen).
61
+ *
62
+ * @example
63
+ * ;```typescript
64
+ * const token = processEnv()['SOCKET_API_TOKEN']
65
+ * ```
66
+ */
67
+ function processEnv() {
68
+ return SafeProcess.env;
69
+ }
70
+ /**
71
+ * The absolute path to the Node executable (`process.execPath`).
72
+ */
73
+ function processExecPath() {
74
+ return SafeProcess.execPath;
75
+ }
76
+ /**
77
+ * Schedule a callback on the next tick. Call-through (late-bound).
78
+ */
79
+ function processNextTick(...args) {
80
+ SafeProcess.nextTick(...args);
81
+ }
82
+ /**
83
+ * The process id.
84
+ */
85
+ function processPid() {
86
+ return SafeProcess.pid;
87
+ }
88
+ /**
89
+ * The OS platform token (`'darwin'` / `'linux'` / `'win32'` / …).
90
+ *
91
+ * @example
92
+ * ;```typescript
93
+ * if (processPlatform() === 'win32') { … }
94
+ * ```
95
+ */
96
+ function processPlatform() {
97
+ return SafeProcess.platform;
98
+ }
99
+ /**
100
+ * The standard error stream. Returned off the captured process so a test that
101
+ * spies on `process.stderr.write` still intercepts.
102
+ */
103
+ function processStderr() {
104
+ return SafeProcess.stderr;
105
+ }
106
+ /**
107
+ * The standard output stream. Returned off the captured process so a test that
108
+ * spies on `process.stdout.write` still intercepts.
109
+ */
110
+ function processStdout() {
111
+ return SafeProcess.stdout;
112
+ }
113
+ /**
114
+ * The Node version string (`process.version`, e.g. `'v26.2.0'`).
115
+ */
116
+ function processVersion() {
117
+ return SafeProcess.version;
118
+ }
119
+
120
+ //#endregion
121
+ exports.processArch = processArch;
122
+ exports.processArgv = processArgv;
123
+ exports.processCwd = processCwd;
124
+ exports.processEmitWarning = processEmitWarning;
125
+ exports.processEnv = processEnv;
126
+ exports.processExecPath = processExecPath;
127
+ exports.processNextTick = processNextTick;
128
+ exports.processPid = processPid;
129
+ exports.processPlatform = processPlatform;
130
+ exports.processStderr = processStderr;
131
+ exports.processStdout = processStdout;
132
+ exports.processVersion = processVersion;
@@ -12,7 +12,6 @@
12
12
  export declare const uncurryThis: <T, A extends readonly unknown[], R>(fn: (this: T, ...args: A) => R) => (self: T, ...args: A) => R;
13
13
  export declare const applyBind: <T, A extends readonly unknown[], R>(fn: (this: T, ...args: A) => R) => (self: T, args: A) => R;
14
14
  export declare const applySafe: <T, A extends readonly unknown[], R>(fn: (this: T, ...args: A) => R) => (self: T, args: A) => R | undefined;
15
- type BindCall = <T, P extends readonly unknown[], A extends readonly unknown[], R>(fn: (this: T, ...args: [...P, ...A]) => R, thisArg: T, ...presetArgs: P) => (...newArgs: A) => R;
15
+ export type BindCall = <T, P extends readonly unknown[], A extends readonly unknown[], R>(fn: (this: T, ...args: [...P, ...A]) => R, thisArg: T, ...presetArgs: P) => (...newArgs: A) => R;
16
16
  export declare const bindCall: BindCall;
17
17
  export declare const weakRefSafe: <T extends object | symbol>(target: T) => WeakRef<T> | undefined;
18
- export {};
@@ -72,7 +72,10 @@ function spawn(cmd, args, options, extra) {
72
72
  /* c8 ignore start - Windows-only cmd.exe extension stripping for
73
73
  .cmd/.bat/.ps1 shell-true execution. Tested on Windows runners. */
74
74
  if (node_process.default.platform === "win32" && shell && require_primordials_regexp.RegExpPrototypeTest(require_process_spawn__internal.windowsScriptExtRegExp, actualCmd)) {
75
- if (!require_paths_predicates.isPath(actualCmd)) actualCmd = require_node_path.getNodePath().basename(actualCmd, require_node_path.getNodePath().extname(actualCmd));
75
+ if (!require_paths_predicates.isPath(actualCmd)) {
76
+ const path = require_node_path.getNodePath();
77
+ actualCmd = path.basename(actualCmd, path.extname(actualCmd));
78
+ }
76
79
  }
77
80
  const shouldStopSpinner = !!spinnerInstance?.isSpinning && !require_process_spawn_stdio.isStdioType(stdio, "ignore") && !require_process_spawn_stdio.isStdioType(stdio, "pipe");
78
81
  const shouldRestartSpinner = shouldStopSpinner;
@@ -150,7 +153,10 @@ function spawnSync(cmd, args, options) {
150
153
  /* c8 ignore start - Windows-only cmd.exe extension stripping for
151
154
  .cmd/.bat/.ps1 shell-true execution. Tested on Windows runners. */
152
155
  if (node_process.default.platform === "win32" && shell && require_primordials_regexp.RegExpPrototypeTest(require_process_spawn__internal.windowsScriptExtRegExp, actualCmd)) {
153
- if (!require_paths_predicates.isPath(actualCmd)) actualCmd = require_node_path.getNodePath().basename(actualCmd, require_node_path.getNodePath().extname(actualCmd));
156
+ if (!require_paths_predicates.isPath(actualCmd)) {
157
+ const path = require_node_path.getNodePath();
158
+ actualCmd = path.basename(actualCmd, path.extname(actualCmd));
159
+ }
154
160
  }
155
161
  /* c8 ignore stop */
156
162
  const { stripAnsi: shouldStripAnsi = true, ...rawSpawnOptions } = {
@@ -3,8 +3,8 @@
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_primordials_error = require('../../primordials/error.js');
5
5
  const require_primordials_object = require('../../primordials/object.js');
6
- const require_primordials_reflect = require('../../primordials/reflect.js');
7
6
  const require_objects_predicates = require('../../objects/predicates.js');
7
+ const require_primordials_reflect = require('../../primordials/reflect.js');
8
8
  const require_process_spawn__internal = require('./_internal.js');
9
9
  let src_external_pony_cause = require("../../external/pony-cause");
10
10
 
@@ -4,8 +4,8 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_primordials_error = require('../primordials/error.js');
5
5
  const require_node_path = require('../node/path.js');
6
6
  const require_logger_default = require('../logger/default.js');
7
- const require_archives_detect = require('../archives/detect.js');
8
7
  const require_fs_safe = require('../fs/safe.js');
8
+ const require_archives_detect = require('../archives/detect.js');
9
9
  const require_archives_extract = require('../archives/extract.js');
10
10
  const require_releases_github_downloads = require('./github-downloads.js');
11
11
 
@@ -17,7 +17,7 @@ import type { AssetPattern, RepoConfig } from './github-types';
17
17
  * output to this shape so downstream code is unaware of which transport
18
18
  * produced the data.
19
19
  */
20
- interface ReleaseRow {
20
+ export interface ReleaseRow {
21
21
  tag_name: string;
22
22
  published_at: string;
23
23
  assets: Array<{
@@ -111,4 +111,3 @@ export declare function getLatestRelease(toolPrefix: string, repoConfig: RepoCon
111
111
  * non-string/Buffer bodies; parse the rest. Throws on genuine parse failure.
112
112
  */
113
113
  export declare function parseResponseBody(body: unknown): unknown;
114
- export {};
@@ -62,7 +62,7 @@ export interface Schema<T = unknown> {
62
62
  *
63
63
  * @internal
64
64
  */
65
- interface ZodV4LikeSchema<O = unknown> {
65
+ export interface ZodV4LikeSchema<O = unknown> {
66
66
  _zod: {
67
67
  output: O;
68
68
  };
@@ -74,7 +74,7 @@ interface ZodV4LikeSchema<O = unknown> {
74
74
  *
75
75
  * @internal
76
76
  */
77
- interface ZodV3LikeSchema<O = unknown> {
77
+ export interface ZodV3LikeSchema<O = unknown> {
78
78
  _output: O;
79
79
  safeParse(data: unknown): unknown;
80
80
  }
@@ -85,7 +85,7 @@ interface ZodV3LikeSchema<O = unknown> {
85
85
  *
86
86
  * @internal
87
87
  */
88
- interface TypeBoxLikeSchema {
88
+ export interface TypeBoxLikeSchema {
89
89
  static: unknown;
90
90
  }
91
91
  /**
@@ -130,4 +130,3 @@ export type ValidateResult<T> = {
130
130
  ok: false;
131
131
  errors: ValidationIssue[];
132
132
  };
133
- export {};
@@ -2,9 +2,9 @@
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_primordials_error = require('../primordials/error.js');
5
+ const require_primordials_object = require('../primordials/object.js');
5
6
  const require_primordials_number = require('../primordials/number.js');
6
7
  const require_primordials_array = require('../primordials/array.js');
7
- const require_primordials_object = require('../primordials/object.js');
8
8
 
9
9
  //#region src/schema/validate.ts
10
10
  /**
@@ -0,0 +1,35 @@
1
+ /**
2
+ * @file Proteus broker client. Asks the running proteus credential daemon for a
3
+ * secret over its local Unix socket (Windows named pipe later), so a
4
+ * biometric-gated read happens inside the daemon and the value is vended to
5
+ * this process in memory rather than sitting in an env var. This is the layer
6
+ * `ai/credentials.mts` documents as slotting between the env check and the
7
+ * keychain read in `secrets/find.ts` `resolve()`.
8
+ * The broker is OPTIONAL and self-gating: when the daemon isn't running (no
9
+ * socket file), `requestFromBroker` returns `undefined` immediately and the
10
+ * caller falls through to the keychain. It never throws — a broker miss is a
11
+ * fall-through, not an error. The daemon binary itself is built by socket-btm
12
+ * (`packages/proteus-builder`); download-and-start is a later layer, so today
13
+ * this only talks to an already-running daemon.
14
+ */
15
+ export interface BrokerRequestOptions {
16
+ /**
17
+ * The keychain service scope (e.g. `socketsecurity`).
18
+ */
19
+ readonly service: string;
20
+ /**
21
+ * The account within the service (e.g. `ANTHROPIC_API_KEY`).
22
+ */
23
+ readonly account: string;
24
+ }
25
+ export interface BrokerResponse {
26
+ readonly ok?: boolean | undefined;
27
+ readonly value?: string | undefined;
28
+ }
29
+ /**
30
+ * Ask the proteus daemon for a credential. Returns the value on success, or
31
+ * `undefined` when the daemon isn't running, doesn't hold it, or the biometric
32
+ * prompt was declined. Never throws: a miss falls through to the next resolver
33
+ * layer (the keychain).
34
+ */
35
+ export declare function requestFromBroker({ account, service, }: BrokerRequestOptions): Promise<string | undefined>;
@@ -0,0 +1,72 @@
1
+ "use strict";
2
+ /* Socket Lib - Built with rolldown */
3
+ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
+ const require_runtime = require('../_virtual/_rolldown/runtime.js');
5
+ const require_paths_socket = require('../paths/socket.js');
6
+ let node_fs = require("node:fs");
7
+ let node_net = require("node:net");
8
+ node_net = require_runtime.__toESM(node_net);
9
+
10
+ //#region src/secrets/broker.ts
11
+ /**
12
+ * @file Proteus broker client. Asks the running proteus credential daemon for a
13
+ * secret over its local Unix socket (Windows named pipe later), so a
14
+ * biometric-gated read happens inside the daemon and the value is vended to
15
+ * this process in memory rather than sitting in an env var. This is the layer
16
+ * `ai/credentials.mts` documents as slotting between the env check and the
17
+ * keychain read in `secrets/find.ts` `resolve()`.
18
+ * The broker is OPTIONAL and self-gating: when the daemon isn't running (no
19
+ * socket file), `requestFromBroker` returns `undefined` immediately and the
20
+ * caller falls through to the keychain. It never throws — a broker miss is a
21
+ * fall-through, not an error. The daemon binary itself is built by socket-btm
22
+ * (`packages/proteus-builder`); download-and-start is a later layer, so today
23
+ * this only talks to an already-running daemon.
24
+ */
25
+ const PROTEUS_SOCKET_NAME = "proteus";
26
+ const BROKER_TIMEOUT_MS = 1e3;
27
+ /**
28
+ * Ask the proteus daemon for a credential. Returns the value on success, or
29
+ * `undefined` when the daemon isn't running, doesn't hold it, or the biometric
30
+ * prompt was declined. Never throws: a miss falls through to the next resolver
31
+ * layer (the keychain).
32
+ */
33
+ async function requestFromBroker({ account, service }) {
34
+ const socketPath = require_paths_socket.getRuntimeSocketPath(PROTEUS_SOCKET_NAME);
35
+ if (!(0, node_fs.existsSync)(socketPath)) return;
36
+ return await new Promise((resolvePromise) => {
37
+ const conn = node_net.default.connect(socketPath);
38
+ let buffer = "";
39
+ let settled = false;
40
+ function settle(value) {
41
+ if (settled) return;
42
+ settled = true;
43
+ conn.destroy();
44
+ resolvePromise(value);
45
+ }
46
+ conn.setTimeout(BROKER_TIMEOUT_MS);
47
+ conn.on("timeout", () => settle(void 0));
48
+ conn.on("error", () => settle(void 0));
49
+ conn.on("connect", () => {
50
+ const payload = JSON.stringify({
51
+ account,
52
+ op: "get",
53
+ service
54
+ });
55
+ conn.write(`${payload}\n`);
56
+ });
57
+ conn.on("data", (chunk) => {
58
+ buffer += String(chunk);
59
+ const newlineAt = buffer.indexOf("\n");
60
+ if (newlineAt === -1) return;
61
+ try {
62
+ const parsed = JSON.parse(buffer.slice(0, newlineAt));
63
+ settle(parsed.ok && typeof parsed.value === "string" ? parsed.value : void 0);
64
+ } catch {
65
+ settle(void 0);
66
+ }
67
+ });
68
+ });
69
+ }
70
+
71
+ //#endregion
72
+ exports.requestFromBroker = requestFromBroker;
@@ -51,10 +51,11 @@ export interface ResolveResult {
51
51
  value: string;
52
52
  /**
53
53
  * Where the value came from: 'env' — `process.env[<account>]` had a non-empty
54
- * value. 'keychain' — env-var was empty/missing; the value was read from the
55
- * OS credential store under the matching account.
54
+ * value. 'broker' — the proteus daemon vended it after a biometric unlock.
55
+ * 'keychain' env-var was empty and no broker was running; the value was
56
+ * read from the OS credential store under the matching account.
56
57
  */
57
- source: 'env' | 'keychain';
58
+ source: 'broker' | 'env' | 'keychain';
58
59
  /**
59
60
  * Which account in `accounts` was the actual hit.
60
61
  */
@@ -71,9 +72,10 @@ export declare function readEnv(name: string): string | undefined;
71
72
  * `undefined` when neither source has the value — the caller's signal to prompt
72
73
  * the user or surface a setup hint.
73
74
  */
74
- export declare function resolve(opts: ResolveOptions): Promise<ResolveResult | undefined>;
75
+ export declare function resolve(options: ResolveOptions): Promise<ResolveResult | undefined>;
75
76
  /**
76
77
  * Sync variant for non-async callers (hook initializers, schema validators that
77
- * run before any `await` machinery exists).
78
+ * run before any `await` machinery exists). Has no proteus broker tier — the
79
+ * broker socket round-trip is async — so this path is env → keychain only.
78
80
  */
79
- export declare function resolveSync(opts: ResolveOptions): ResolveResult | undefined;
81
+ export declare function resolveSync(options: ResolveOptions): ResolveResult | undefined;
@@ -1,6 +1,7 @@
1
1
  "use strict";
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
+ const require_secrets_broker = require('./broker.js');
4
5
  const require_secrets_keychain = require('./keychain.js');
5
6
 
6
7
  //#region src/secrets/find.ts
@@ -42,8 +43,11 @@ function readEnv(name) {
42
43
  * `undefined` when neither source has the value — the caller's signal to prompt
43
44
  * the user or surface a setup hint.
44
45
  */
45
- async function resolve(opts) {
46
- const { accounts, allowEnvOnly, service } = opts;
46
+ async function resolve(options) {
47
+ const { accounts, allowEnvOnly, service } = {
48
+ __proto__: null,
49
+ ...options
50
+ };
47
51
  for (let i = 0, { length } = accounts; i < length; i += 1) {
48
52
  const account = accounts[i];
49
53
  const fromEnv = readEnv(account);
@@ -54,6 +58,18 @@ async function resolve(opts) {
54
58
  };
55
59
  }
56
60
  if (allowEnvOnly) return;
61
+ for (let i = 0, { length } = accounts; i < length; i += 1) {
62
+ const account = accounts[i];
63
+ const fromBroker = await require_secrets_broker.requestFromBroker({
64
+ account,
65
+ service
66
+ });
67
+ if (fromBroker) return {
68
+ value: fromBroker,
69
+ source: "broker",
70
+ account
71
+ };
72
+ }
57
73
  for (let i = 0, { length } = accounts; i < length; i += 1) {
58
74
  const account = accounts[i];
59
75
  const fromKeychain = await require_secrets_keychain.readSecret({
@@ -69,10 +85,14 @@ async function resolve(opts) {
69
85
  }
70
86
  /**
71
87
  * Sync variant for non-async callers (hook initializers, schema validators that
72
- * run before any `await` machinery exists).
88
+ * run before any `await` machinery exists). Has no proteus broker tier — the
89
+ * broker socket round-trip is async — so this path is env → keychain only.
73
90
  */
74
- function resolveSync(opts) {
75
- const { accounts, allowEnvOnly, service } = opts;
91
+ function resolveSync(options) {
92
+ const { accounts, allowEnvOnly, service } = {
93
+ __proto__: null,
94
+ ...options
95
+ };
76
96
  for (let i = 0, { length } = accounts; i < length; i += 1) {
77
97
  const account = accounts[i];
78
98
  const fromEnv = readEnv(account);
@@ -46,7 +46,7 @@ export declare function deleteSecretFromSlotsSync({ service, accounts, }: Delete
46
46
  export declare function deleteSecretSync({ service, account, }: DeleteOptions): 'removed' | 'absent';
47
47
  export type { BackendAvailability, SecretDeleteResult, SecretWriteResult, } from './types';
48
48
  export type { SecretSlot } from './types';
49
- type Platform = 'darwin' | 'linux' | 'win32' | 'other';
49
+ export type Platform = 'darwin' | 'linux' | 'win32' | 'other';
50
50
  /**
51
51
  * Resolve the current OS to one of our four backend categories.
52
52
  *
@@ -46,32 +46,25 @@ function isLinuxBackendAvailable() {
46
46
  return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, ["--version"], { stdio: "ignore" }).status === 0;
47
47
  }
48
48
  async function readLinux(service, account) {
49
- return new require_primordials_promise.PromiseCtor((resolve) => {
50
- const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
49
+ try {
50
+ const r = await (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
51
51
  "lookup",
52
52
  "service",
53
53
  service,
54
54
  "user",
55
55
  account
56
- ], { stdio: [
57
- "ignore",
58
- "pipe",
59
- "pipe"
60
- ] });
61
- let stdout = "";
62
- cp.stdout.setEncoding("utf8");
63
- cp.stdout.on("data", (chunk) => {
64
- stdout += chunk;
65
- });
66
- cp.on("error", () => resolve(void 0));
67
- cp.on("close", (status) => {
68
- if (status !== 0) {
69
- resolve(void 0);
70
- return;
71
- }
72
- resolve(stdout.trim() || void 0);
56
+ ], {
57
+ stdio: [
58
+ "ignore",
59
+ "pipe",
60
+ "pipe"
61
+ ],
62
+ stdioString: true
73
63
  });
74
- });
64
+ return String(r.stdout ?? "").trim() || void 0;
65
+ } catch {
66
+ return;
67
+ }
75
68
  }
76
69
  function readLinuxSync(service, account) {
77
70
  const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
@@ -92,34 +85,29 @@ function readLinuxSync(service, account) {
92
85
  return r.stdout.trim() || void 0;
93
86
  }
94
87
  async function writeLinux(service, account, value, label) {
95
- return new require_primordials_promise.PromiseCtor((resolve, reject) => {
96
- const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
97
- "store",
98
- `--label=${label}`,
99
- "service",
100
- service,
101
- "user",
102
- account
103
- ], { stdio: [
88
+ const hint = "Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.";
89
+ const child = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
90
+ "store",
91
+ `--label=${label}`,
92
+ "service",
93
+ service,
94
+ "user",
95
+ account
96
+ ], {
97
+ stdio: [
104
98
  "pipe",
105
99
  "pipe",
106
100
  "pipe"
107
- ] });
108
- let stderr = "";
109
- cp.stderr.setEncoding("utf8");
110
- cp.stderr.on("data", (chunk) => {
111
- stderr += chunk;
112
- });
113
- cp.on("error", (err) => reject(/* @__PURE__ */ new Error(`secret-tool store failed: ${err.message}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`)));
114
- cp.on("close", (status) => {
115
- if (status === 0) {
116
- resolve();
117
- return;
118
- }
119
- reject(/* @__PURE__ */ new Error(`secret-tool store failed (status=${status}, user=${account}): ${stderr.trim()}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`));
120
- });
121
- cp.stdin.end(value);
101
+ ],
102
+ stdioString: true
122
103
  });
104
+ child.process.stdin.end(value);
105
+ try {
106
+ await child;
107
+ } catch (e) {
108
+ const err = e;
109
+ throw new require_primordials_error.ErrorCtor(`secret-tool store failed (status=${typeof err?.code === "number" ? err.code : -1}, user=${account}): ${String(err?.stderr ?? err?.message ?? "").trim()}. ${hint}`);
110
+ }
123
111
  }
124
112
  function writeLinuxSync(service, account, value, label) {
125
113
  const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
@@ -23,7 +23,7 @@ export declare function deleteMacOSSync(service: string, account: string): 'remo
23
23
  export declare function isMacOSBackendAvailable(): boolean;
24
24
  export declare function readMacOS(service: string, account: string): Promise<string | undefined>;
25
25
  export declare function readMacOSSync(service: string, account: string): string | undefined;
26
- interface SpawnOpts {
26
+ export interface SpawnOpts {
27
27
  stdio?: 'ignore' | 'pipe' | ['ignore', 'pipe', 'pipe'] | undefined;
28
28
  }
29
29
  export declare function runAsync(args: readonly string[], opts?: SpawnOpts): Promise<{
@@ -33,4 +33,3 @@ export declare function runAsync(args: readonly string[], opts?: SpawnOpts): Pro
33
33
  }>;
34
34
  export declare function writeMacOS(service: string, account: string, value: string, label: string): Promise<void>;
35
35
  export declare function writeMacOSSync(service: string, account: string, value: string, label: string): void;
36
- export {};
@@ -2,7 +2,6 @@
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_primordials_error = require('../primordials/error.js');
5
- const require_primordials_promise = require('../primordials/promise.js');
6
5
  let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
7
6
 
8
7
  //#region src/secrets/macos.ts
@@ -79,38 +78,30 @@ function readMacOSSync(service, account) {
79
78
  if (r.status !== 0) return;
80
79
  return r.stdout.trim() || void 0;
81
80
  }
82
- function runAsync(args, opts = {}) {
83
- return new require_primordials_promise.PromiseCtor((resolve) => {
84
- const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECURITY_BIN, args, { stdio: opts.stdio ?? [
81
+ async function runAsync(args, opts = {}) {
82
+ const child = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECURITY_BIN, args, {
83
+ stdio: opts.stdio ?? [
85
84
  "ignore",
86
85
  "pipe",
87
86
  "pipe"
88
- ] });
89
- let stdout = "";
90
- let stderr = "";
91
- if (cp.stdout) {
92
- cp.stdout.setEncoding("utf8");
93
- cp.stdout.on("data", (chunk) => {
94
- stdout += chunk;
95
- });
96
- }
97
- if (cp.stderr) {
98
- cp.stderr.setEncoding("utf8");
99
- cp.stderr.on("data", (chunk) => {
100
- stderr += chunk;
101
- });
102
- }
103
- cp.on("error", () => resolve({
104
- status: -1,
105
- stdout,
106
- stderr
107
- }));
108
- cp.on("close", (status) => resolve({
109
- status,
110
- stdout,
111
- stderr
112
- }));
87
+ ],
88
+ stdioString: true
113
89
  });
90
+ try {
91
+ const r = await child;
92
+ return {
93
+ status: typeof r.code === "number" ? r.code : null,
94
+ stderr: String(r.stderr ?? ""),
95
+ stdout: String(r.stdout ?? "")
96
+ };
97
+ } catch (e) {
98
+ const err = e;
99
+ return {
100
+ status: typeof err?.code === "number" ? err.code : -1,
101
+ stderr: String(err?.stderr ?? ""),
102
+ stdout: String(err?.stdout ?? "")
103
+ };
104
+ }
114
105
  }
115
106
  async function writeMacOS(service, account, value, label) {
116
107
  const r = await runAsync([
@@ -37,7 +37,7 @@
37
37
  * non-interactive shells (Claude Code, IDE plugins, CI runners) skip .zshrc
38
38
  * and would miss the export.
39
39
  */
40
- export declare function buildBlock(opts: WriteOptions): {
40
+ export declare function buildBlock(options: WriteOptions): {
41
41
  begin: string;
42
42
  end: string;
43
43
  body: string;
@@ -126,7 +126,7 @@ export declare function shellSingleQuote(value: string): string;
126
126
  * `shell` and `rcPath` override the auto-detected target — useful for chezmoi /
127
127
  * dotfile-manager users or installers running under a non-default shell.
128
128
  */
129
- export declare function write(opts: WriteOptions): WriteResult;
129
+ export declare function write(options: WriteOptions): WriteResult;
130
130
  /**
131
131
  * Internal: write an rc file with 0o600 (owner-only). The rc file embeds a
132
132
  * literal SOCKET_API_KEY value so the shell rc can `export` it on session start